org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /jsecuritycheck at the end of a URI.
{ "nvd_published_at": "2012-12-19T11:55:00Z", "cwe_ids": [ "CWE-287" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-07-13T21:29:14Z" }